AKM Error Codes Reference

Page Information

Last updated: 10.19.2016

Chapter 1: About This Manual

Who is this for?

This guide is intended for AKM users who encounter errors on the AKM server. Error codes can be found in the akmerror.log file accessed via the web interface. See the AKM Server Management Guide for information on accessing the akmerror.log file.

This guide contains a list of common error codes and their resolutions. If you encounter other error codes, please contact Townsend Security Support.

Client applications and SDKs

Townsend Security provides the following applications and SDKs to assist with client-side key retrieval or remote encryption:

Notices

This product and documentation are covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following table provides information on the changes to this documentation:

Version  Date     Description
0.01     1/28/09  Initial draft.
0.02     3/2/09   Updates to error codes for ReadSymKeyInstance.
0.03     3/11/09  Duplicate error codes removed and replaced with new codes.
0.04     5/1/09   The troubleshooting guide has been added to this manual. New error message codes have been added for licensing.
0.05     5/12/09  Update the error codes for the ALLKeyRtv client library. Update the troubleshooting guide.
1.00     5/15/09  Formal release of the documentation corresponding to version 1.0.3 of Alliance Key Manager

Chapter 2: AKM Admin Service Error Codes

The following table provides error messages you may encounter while using key management commands in the AKM Administrative Console or under program control. Error codes and messages are displayed in the Output and Status panes in the AKM Administrative Console and are also logged in the akmerror.log file on the AKM server.

You can only delete previous instances of a key. Use the “Display Key Instance List” to view previous instances. If you want to delete the current instance of a key you will need to delete the entire key with the “Delete Key” command.

3018

DeleteKeyInstance ERR [value] Unable to delete key which is not deletable

The key has its attributes set to not allow it to be deleted. You will first need to change that attribute with the “Change Deletable” command.

3022

DisplayKeyInstanceList ERR [value] No entry for key name [value]

The key you have defined for the “Display Key Instance List” command does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key.

3025

DisplayKeyNameList ERR [value] No key names in data base

There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key.

3031

DeleteKeyFromUserAccess ERR [value] No entry for KeyName [value]

The key you are trying to delete does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key.

The key you are trying to retrieve from AKM has a future activation date. Use the “Display Symmetric Key Policy” command to verify the key’s activation date or use the “Activate Key” command to activate the key.

3115

GetSymKey ERR [value] Key has been revoked

The key you are trying to retrieve has been revoked. Use the “Activate Key” command to activate the key.

3119

ImportSymKey ERR [value] key name already exists in database

The key name you are using to import a symmetric key is already in use in the key database. Use the “Display Key Name List” command to verify the names of the existing keys, then choose another name for the key you are trying to import to avoid duplicates.

3120

ImportSymKey ERR [value] fopen failed for file [value]

The key file you are trying to import could not be opened. Verify that it is a valid symmetric key file.

3143

RevokeKeyInstance ERR [value] Cannot revoke current instance

You can only revoke previous instances of a key. Use the “Display Key Instance List” to view previous instances. If you want to revoke the current instance of a key you will need to revoke the entire key with the “Revoke Key” command.

The key you attempted to roll has been configured to automatically roll after a certain number of days. Use the “Display Symmetric Key Policy” command to verify the number of days set for automatic rollover, or use the “Change Rollover” command to change the rollover policy to manual rollover.

3181

EditMetadataChars ERR [value] Invalid character <0xvalue> at position [value] in MD[value]

Only printable upper and lower case letters and numbers are allowed in the Metadata fields.

3184

ValidateDB ERR [value] No key names in data base

There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key.

3205

ImportCertificate ERR [value] no overwrite for existing file [value]

You are trying to import a certificate that already exists. Enable the Overwrite Existing Certificate option or import a different certificate.

Either the key you are attempting to retrieve or the instance for that key does not exist. Use the “Display Key Name List” and “Display Key Instance List” commands to verify the name and instance of the key.

The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” to verify the certificate’s name.

3581

EditCertType ERR [value] Invalid certificate type [value]

Several commands (DeleteCertificate, ExportCertificate, GetCertificateList and ImportCertificate) operate on either a CA Certificate or a Client Certificate. There is a 1-byte code in the request with the value A or C respectively. If a code other than A or C is passed this error is thrown.

3591

CrossEditDates ERR [value] Activation Date is after the Expiration Date

The activation date you specified comes after the currently set expiration date. Use the “Display Symmetric Key Policy” command to verify the expiration date or the “Change Expiration Date” command to adjust it.

The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” to verify the certificate’s name.

3777

EditDeleteSymKey ERR [value] Some key instances not deletable for key name [value]

You are trying to delete a key where some instances of that key are not deletable. Use the “Display Key Instance List” command to display a list of all key instances associated with a given key. Use the “Display Symmetric Key” command to view the attributes of a given key instance. Use the “Change Deletable” command to make the key instance deletable.

3910

ForceKeySync ERR [value] Key [value] is not enabled for mirroring

The symmetric key you are trying to mirror has not been enabled for mirroring. Use the “Change Mirror Key” command to enable the key for mirroring.

There are keys waiting to be mirrored. You need to allow the mirroring operation to complete or use the “Remove Mirror Address” to delete the configured mirror. Then use the “Set Mirror Address” command again to configure the mirror server.

4025

ExportSymKeyBatch ERR [value] No matching keys

The ExportSymKeyBatch command allows for the exporting of all AES keys meeting certain specified values in metadata fields. Should no keys be found matching the specified values, this error will be thrown.

4072

AuthAdmin ERR [value] AuthAdmin command not valid. DualKnowledgeRequired not set in conf file.

The DualKnowledgeRequired entry has not been set to Y (Yes) in the AKM configuration file. It is not necessary to authorize a second Crypto Officer before using key management commands. If you would like to authorize a second Crypto Officer for key management commands in order to satisfy requirements for dual control, see the AKM Administrative Console Guide for information on implementing dual control.

4073

EditAuthAdmin ERR [value] invalid minutes value [value]

The value you have entered is invalid. Use whole minutes.

4074

AuthAdmin ERR [value] AuthAdmin currently active, cannot reset

A dual control session has been set. This admin instance will be locked out until the other admin instance has logged in and the time period set has expired.

4096

ValidateAuthAdmin ERR [value] AuthAdmin window has not been set

The command you are trying to use requires that an administrator authorization time window is set. Have another administrator run the “Authorize Administrator” command.

The activation date you are trying to set cannot be on or after the expiration date that has been set for this key. Use the “Display Symmetric Key Policy” command to view the current expiration date for that key.

4332

EditNumeric ERR <%d> non-numeric character <%02x> hex

Many parameters in many commands provide numeric data in ASCII format. For example, the first argument of CreateSymKey is 00584 and is the length of the data that follows. The only values that are valid for these types of fields are [0123456789]. If any other value is present this error is thrown. The most common reason for this error is that the request buffer was not properly formatted.

4491

InsertEkmKey ERR <%d> sqlite3_step failed

The key <%s> already exists.

4513

EditHostName ERR <%d> Host name may not be all blanks

You are trying to define a mirror but have left the host name blank. The host name refers to the IP address of the mirror AKM server.

4514

EditMirrorPort ERR <%d> Mirror port may not be 0

You are trying to define a mirror but have left the port number blank. The default port number for mirroring is 6003.

4515

EditHostName ERR <%d> Host name may not be 0.0.0.0

You are trying to define a mirror but have set the IP to 0.0.0.0. This field needs to have a valid IP.

4541

DisplayEkmInfoList ERR <%d> No key names in data base

There are no EKM keys defined. Use the “Create EKM Key” command to create a key.

4546

EKeysSelectByName ERR <%d> No entry for key name <%s>

The DisplayEKeysPolicy command allows the admin to see the policy fields associated with an EKM key. If a KeyName is specified that does not exist, this error is thrown.

Chapter 3: AKM Encryption Service Error Codes

The following table provides common error messages you may encounter while using the AKM Encryption Service in your application. These error codes are logged in the akmerror.log file on the AKM server.

Error

Message

Resolution

3028

ParseDecEcbRecContinuationHdr

The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.

3459

EditEobFlag

The value for the EndOfRequestFlag must be Y (yes) or N (no).

4133

ParseDecEcbReqHdr

PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4134

ParseEncEcbReqHdr

PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4135

EditCipherTextFormat

The CipherTextFormat field value must be BIN, B16, or B64.

4136

EditFinalFlag

The value for FinalFlag must be Y (yes) or N (no).

4137

EditMoreBlocksFlag

The value for PackedFlag must be Y (yes) or N (no).

4138

EditNewKeyFlag

The value for NewKeyFlag must be Y (yes) or N (no).

4139

EditPaddingFlag

The value for PaddingFlag must be 1 byte: 7 (yes) or N (no).

4140

EditPaddingFlag

The value for NewKeyFlag must be 7 (yes) or N (no).

4141

EditPlainTextLen

The PlainTextLength field value must be composed of numeric characters.

4145

ParseEncEcbReqHdr

You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.

4146

ParseEncEcbReqHdr

The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.

4468

EditPlainTextFormat

The PlainTextFormat field value must be BIN, B16, or B64.

4469

ParseDecEcbReqHdr

You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.

4470

ParseDecEcbReqHdr

The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.

4472

ParseDecEcbReqContinuationHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4473

EditCipherTextLen

The CipherTextLength cannot be set to 0 bytes.

4474

ParseEncCbcReqHdr

You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.

4475

ParseEncCbcReqHdr

The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.

4476

ParseEncCbcReqHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4553

ParseDecCbcReqHdr

You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.

4554

ParseDecCbcReqHdr

The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.

4555

ParseDecCbcReqHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4556

ParseDecEcbReqContinuationHdr

The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.

4557

ParseDecCbcReqContinuationHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4560

ParseDecEcbReqContinuationHdr

The CipherTextLength cannot be set to 0 bytes.

4561

ParseDecEcbReqContinuationHdr

The CipherTextLength cannot be set to 0 bytes.

4562

ParseEncEcbReqHdr

If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.

4563

ParseDecCbcReqHdr

The CipherTextLength cannot be set to 0 bytes.

4564

ParseDecEcbReqHdr

The CipherTextLength cannot be set to 0 bytes.

4565

ParseEncCbcReqHdr

The CipherTextLength cannot be set to 0 bytes.

4566

ParseEncEcbReqHdr

The PlainTextLength cannot be set to 0 bytes.

4567

ParseEncCbcReqHdr

If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.

4568

ValidatePadding

The padding value must be in the range of hex 0x01 to 0x10. If you provide padding yourself in your application, make sure to use PKCS #7 padding.

4569

ValidatePadding

If plaintext is a multiple of 16 and padding is requested, 16 bytes of padding will be added. The minimum length of ciphertext will be 32 bytes. Make sure you have the correct length of ciphertext.

4570

ValidatePadding

If you provide padding in your application, you must provide PKCS #7 padding. If you provided another form of padding, it will not be recognized as valid.

4598

ParseEncEcbReqContinuationHdr

The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.

4599

ParseEncEcbReqContinuationHdr

The PlainTextLength cannot be set to 0 bytes.

4600

ParseEncEcbReqContinuationHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4601

ParseEncEcbReqContinuationHdr

If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.

4602

ParseEncCbcReqContinuationHdr

The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.

4603

ParseEncCbcReqContinuationHdr

The PlainTextLength cannot be set to 0 bytes.

4604

ParseEncCbcReqContinuationHdr

If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.

4605

ParseEncCbcReqContinuationHdr

PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.

4606

EditNewIvFlag

The value for NewIVFlag must be Y or N.

4607

ParseEncCbcReqHdr

If NewKeyFlag is set to Y, then NewIVFlag must also be set to Y.

4658

ParseDecEcbReqHdr

The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.

4659

ParseDecCbcReqHdr

The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.

4660

ParseDecEcbReqContinuationHdr

The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.

4661

ParseDecCbcReqContinuationHdr

The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.
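A client-side pre-flight check for the ECB encryption request rules listed in this table, as an added example (not Townsend Security code). The `EncEcbHeader` container, the `first_request` flag and the function names are hypothetical; the wire layout is not modeled, all applicable codes are returned because the server's check order is not documented here, and the mapping of padding failures to 4568 and 4570 is a reading of the resolution text.

```python
from dataclasses import dataclass

BLOCK = 16             # AES block size in bytes
MAX_PLAINTEXT = 16272  # limit quoted for code 4146

@dataclass
class EncEcbHeader:
    """Hypothetical container: field names follow the table, not the wire layout."""
    plaintext_len: str            # numeric fields travel as ASCII digits
    padding_flag: str = "7"       # 7 = server adds PKCS #7 padding, N = none
    new_key_flag: str = "Y"
    packed_flag: str = "N"
    final_flag: str = "Y"
    plaintext_format: str = "BIN"
    first_request: bool = True    # first request of the session (assumed flag)

def preflight(h):
    """Return every code from the table that this header would trigger."""
    codes = set()
    if h.final_flag not in ("Y", "N"):
        codes.add(4136)
    if h.packed_flag not in ("Y", "N"):
        codes.add(4137)
    if h.new_key_flag not in ("Y", "N"):
        codes.add(4138)
    if h.padding_flag not in ("7", "N"):
        codes.add(4139)
    if h.plaintext_format not in ("BIN", "B16", "B64"):
        codes.add(4468)
    if h.packed_flag == "Y" and h.final_flag == "Y":
        codes.add(4134)           # packing implies more requests, final ends the session
    if h.first_request and h.new_key_flag == "N":
        codes.add(4145)           # first request must name the key
    if not (h.plaintext_len.isascii() and h.plaintext_len.isdigit()):
        codes.add(4141)           # length checks below need a number
        return sorted(codes)
    n = int(h.plaintext_len)
    if n == 0:
        codes.add(4566)
    if n > MAX_PLAINTEXT:
        codes.add(4146)
    if h.padding_flag == "N" and n % BLOCK:
        codes.add(4562)           # unpadded plaintext must be block-aligned
    return sorted(codes)

def pkcs7_pad(data):
    """Application-side PKCS #7: a full block is added when len(data) % 16 == 0."""
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k

def padding_code(padded):
    """0 if the tail is PKCS #7 padding, else the ValidatePadding code it maps to."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("padded data must be a non-empty multiple of 16 bytes")
    k = padded[-1]
    if not 1 <= k <= BLOCK:
        return 4568               # pad value outside 0x01..0x10
    if padded[-k:] != bytes([k]) * k:
        return 4570               # some other scheme, e.g. zero padding
    return 0
```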

Chapter 4: AKM Client Error Codes

The following table provides common error messages you may encounter while using the AKM Client Library for Windows or AKM Key Connection for SQL Server. These Key Client errors represent AKM error codes received from the server and reported to the client. Other Key Client errors are possible. The error codes will match error codes found in the akmerror.log file on the AKM server; however, the exception message may be different.

Based on the server error code, one of these client-side exceptions is raised:

KeyAccessDeniedException

KeyExpiredException

KeyNotFoundException

KeyRevokedException

ServerException

ServerFailureException

These errors are reported directly to the Windows client, and indirectly by Key Connection for SQL Server (the message text is logged but not returned to the SQL application, which is a SQL Server limitation).

Error Code

Exception Class

Exception Message

3114

KeyExpiredException

Key ‘{0}’ instance ‘{1}’ has expired.

3115

KeyRevokedException

Key ‘{0}’ instance ‘{1}’ is revoked.

3275

KeyNotFoundException

Key name “{0}” not found on the key server.

3391

KeyAccessDeniedException

Access to key ‘{0}’ instance ‘{1}’ is denied.

3440

KeyNotFoundException

Key name “{0}” not found on the key server.

3572

Key permissions for requested key are not sufficient, often seen with code 3391.

3610

KeyAccessDeniedException

Access to key ‘{0}’ instance ‘{1}’ is denied.

3713

ServerException

Key server is shutting down. Key server error {0}.

3714

ServerException

Key server is shutting down. Key server error {0}.

3774

ServerException

Request {0} is not a supported feature for the installed version of the key server. Key server error {1}.

3775

ServerException

Request {0} is not a supported feature for the installed version of the key server. Key server error {1}.